Threat actors are actively exploiting a maximum-severity vulnerability in Flowise, the open-source platform for building AI agent workflows, according to The Hacker News citing findings from VulnCheck.
CVE-2025-59528 carries a CVSS score of 10.0. It allows remote code execution through Flowise’s CustomMCP node, which connects to external Model Context Protocol servers. The flaw exists in the convertToValidJSONString function, which passes user input directly to JavaScript’s Function() constructor without security validation, according to the GitHub advisory (GHSA-3gcm-f6qx-ff7p). Because this runs with full Node.js runtime privileges, an attacker gains access to child_process for command execution and fs for file system access.
The Attack Path
The exploitation chain is straightforward. The vulnerable API endpoint is /api/v1/node-load-method/customMCP, which accepts user input through the mcpServerConfig parameter. The input passes through a variable substitution step that applies no security filtering, then hits the dangerous Function('return ' + inputString)() call that executes arbitrary code in the global Node.js context.
“As only an API token is required, this poses an extreme security risk to business continuity and customer data,” Flowise stated in its advisory. Kim SooHyun discovered and reported the flaw. The fix shipped in Flowise version 3.0.6.
Active Exploitation and Exposure
VulnCheck reported that exploitation activity has originated from a single Starlink IP address, according to The Hacker News. More than 12,000 Flowise instances are currently exposed on the internet, giving attackers a large surface for opportunistic scanning and exploitation.
“This is a critical-severity bug in a popular AI platform used by a number of large corporations,” Caitlin Condon, vice president of security research at VulnCheck, told The Hacker News. “This specific vulnerability has been public for more than six months, which means defenders have had time to prioritize and patch the vulnerability. The internet-facing attack surface area of 12,000+ exposed instances makes the active scanning and exploitation attempts we’re seeing more serious.”
Third Strike for Flowise
CVE-2025-59528 is the third Flowise vulnerability to attract in-the-wild exploitation, following CVE-2025-8943 (CVSS 9.8, OS command RCE) and CVE-2025-26319 (CVSS 8.9, arbitrary file upload). The pattern points to a systemic issue: Flowise’s architecture processes user input at multiple points where code execution can occur, and each new integration surface (in this case, MCP server configuration) introduces another potential injection point.
The MCP Angle
The vulnerability is particularly relevant because it sits in Flowise’s Model Context Protocol integration layer. MCP has become the standard for connecting AI agents to external tools and data sources. Any platform that parses MCP server configurations from user input without sandboxing that parsing step faces the same class of risk. Flowise’s Function() constructor pattern is an extreme case, but the broader lesson applies: MCP configuration endpoints are trust boundaries, and they need to be treated as such.
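The difference between evaluating a configuration string and parsing it as data, shown as an added example (not Flowise's code or its patch): parseConfigUnsafe reproduces the Function('return ' + inputString)() pattern described above, and parseConfigStrict is one hardened alternative. The function names, the allowed field set and the sample inputs are assumptions constructed for illustration.

```javascript
// Added example. Function names and the allowed field set are assumptions.
let sideEffects = 0;
// Harmless stand-in for anything code embedded in the input could do.
globalThis.recordSideEffect = () => { sideEffects += 1; return 'npx'; };

// Pattern described in the advisory: the string is compiled and run as JavaScript.
function parseConfigUnsafe(inputString) {
  return Function('return ' + inputString)();
}

const ALLOWED_KEYS = new Set(['command', 'args', 'env', 'url']); // assumed schema
const isStr = (v) => typeof v === 'string';

// Hardened form: data-only parsing, then a strict shape check.
function parseConfigStrict(inputString) {
  const cfg = JSON.parse(inputString); // SyntaxError on anything that is not JSON
  if (cfg === null || typeof cfg !== 'object' || Array.isArray(cfg)) {
    throw new TypeError('config must be a JSON object');
  }
  for (const key of Object.keys(cfg)) {
    if (!ALLOWED_KEYS.has(key)) throw new TypeError('unexpected key: ' + key);
  }
  for (const key of ['command', 'url']) {
    if (key in cfg && !isStr(cfg[key])) throw new TypeError(key + ' must be a string');
  }
  if ('args' in cfg && !(Array.isArray(cfg.args) && cfg.args.every(isStr))) {
    throw new TypeError('args must be an array of strings');
  }
  if ('env' in cfg) {
    const env = cfg.env;
    if (env === null || typeof env !== 'object' || Array.isArray(env) ||
        !Object.values(env).every(isStr)) {
      throw new TypeError('env must map names to strings');
    }
  }
  return cfg;
}

// Constructed inputs: one valid JSON config, one JavaScript expression.
const BENIGN = '{"command":"npx","args":["-y","example-mcp-server"]}';
const EXPRESSION = '{"command": recordSideEffect()}';

function demo() {
  sideEffects = 0;
  parseConfigUnsafe(EXPRESSION); // the embedded call runs during "parsing"
  const ranUnderUnsafe = sideEffects;
  let rejected = false;
  try { parseConfigStrict(EXPRESSION); } catch (e) { rejected = e instanceof SyntaxError; }
  return { ranUnderUnsafe, rejected, ranUnderStrict: sideEffects - ranUnderUnsafe,
           benign: parseConfigStrict(BENIGN) };
}
```

The strict parser rejects the expression before any of it executes, and the key allowlist also refuses fields such as __proto__ that JSON.parse would otherwise accept as ordinary properties.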
Teams running Flowise should upgrade to version 3.0.6 or later immediately. Anyone running internet-exposed instances without API token authentication should assume compromise.